package org.keycloak.authentication.requiredactions;

import jakarta.ws.rs.core.MultivaluedMap;
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticatorUtil;
import org.keycloak.authentication.InitiatedActionSupport;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.common.util.Time;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.PasswordCredentialProviderFactory;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionConfigModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.userprofile.ValidationException;
import org.keycloak.utils.RequiredActionHelper;
import org.keycloak.validate.ValidationError;

/* loaded from: input_file:org/keycloak/authentication/requiredactions/UpdatePassword.class */
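/**
 * Required action that makes a user choose a new password.
 *
 * <p>The class acts as both the provider and its factory. It decides when the action must be
 * forced (password expiry policy), renders the update form, processes the submitted form and
 * exposes the "max_auth_age" setting that bounds how long after the last authentication the
 * action may be used before re-authentication is required.
 *
 * <p>NOTE(review): this listing is decompiler output; local names were reconstructed and
 * {@code m134create} is the decompiler's rename of the factory method {@code create}.
 */
public class UpdatePassword implements RequiredActionProvider, RequiredActionFactory {
    private final KeycloakSession session;
    private static final Logger logger = Logger.getLogger(UpdatePassword.class);
    public static final String MAX_AUTH_AGE_KEY = "max_auth_age";

    // Fallback used whenever no usable max-auth-age is found; same value as the config default.
    private static final int DEFAULT_MAX_AUTH_AGE_SECONDS = 300;

    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = ProviderConfigurationBuilder.create()
            .property()
            .name(MAX_AUTH_AGE_KEY)
            .label("Maximum Age of Authentication")
            .helpText("Configures the duration in seconds this action can be used after the last authentication before the user is required to re-authenticate. This parameter is used just in the context of AIA when the kc_action parameter is available in the request, which is for instance when user himself updates his password in the account console. When the 'Maximum Authentication Age' password policy is used in the realm, it's value has precedence over the value configured here.")
            .type("String")
            .defaultValue(DEFAULT_MAX_AUTH_AGE_SECONDS)
            .add()
            .build();

    /** Declares that this action may also be started on request, not only when forced. */
    public InitiatedActionSupport initiatedActionSupport() {
        return InitiatedActionSupport.SUPPORTED;
    }

    /**
     * Creates an instance without a session.
     *
     * @deprecated use {@link #UpdatePassword(KeycloakSession)}; without a session
     *     {@link #getMaxAuthAge()} cannot read realm policy or action config and always
     *     returns the default.
     */
    @Deprecated
    public UpdatePassword() {
        this(null);
    }

    /**
     * Creates an instance bound to a session.
     *
     * @param keycloakSession session used by {@link #getMaxAuthAge()}; may be {@code null}
     */
    public UpdatePassword(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Adds UPDATE_PASSWORD to the user's required actions when the stored password is older
     * than the realm's password-expiry policy allows, or has no creation date at all.
     *
     * <p>Nothing happens unless the password was validated in this authentication session,
     * the policy defines an expiry (value other than -1) and the user has a stored password.
     *
     * @param requiredActionContext context giving access to realm, user and session
     */
    public void evaluateTriggers(RequiredActionContext requiredActionContext) {
        if (!AuthenticatorUtil.isPasswordValidated(requiredActionContext.getAuthenticationSession())) {
            return;
        }
        int daysToExpirePassword = requiredActionContext.getRealm().getPasswordPolicy().getDaysToExpirePassword();
        if (daysToExpirePassword == -1) {
            return;
        }
        PasswordCredentialModel password = requiredActionContext.getSession()
                .getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID)
                .getPassword(requiredActionContext.getRealm(), requiredActionContext.getUser());
        if (password == null) {
            return;
        }
        // A password without a creation date cannot be proven fresh, so it is treated as expired.
        boolean expired = password.getCreatedDate() == null
                || Time.toMillis(Time.currentTime()) - password.getCreatedDate().longValue()
                        > TimeUnit.DAYS.toMillis(daysToExpirePassword);
        if (expired) {
            requiredActionContext.getUser().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            logger.debug("User is required to update password");
        }
    }

    /**
     * Sends the update-password form, pre-filled with the authenticated user's username.
     *
     * @param requiredActionContext context used to build and send the challenge
     */
    public void requiredActionChallenge(RequiredActionContext requiredActionContext) {
        String username = requiredActionContext.getAuthenticationSession().getAuthenticatedUser().getUsername();
        requiredActionContext.challenge(requiredActionContext.form()
                .setAttribute("username", username)
                .createResponse(UserModel.RequiredAction.UPDATE_PASSWORD));
    }

    /**
     * Handles the submitted update-password form.
     *
     * <p>Rejects a blank password and a confirmation mismatch by re-displaying the form with
     * an error, optionally logs out the user's other sessions, then stores the new password.
     * Each outcome is reported on both an UPDATE_CREDENTIAL and an UPDATE_PASSWORD event
     * (or their *_ERROR counterparts).
     *
     * @param requiredActionContext context carrying the request, user, session and event
     */
    public void processAction(RequiredActionContext requiredActionContext) {
        EventBuilder event = requiredActionContext.getEvent();
        AuthenticationSessionModel authenticationSession = requiredActionContext.getAuthenticationSession();
        UserModel user = requiredActionContext.getUser();
        MultivaluedMap formData = requiredActionContext.getHttpRequest().getDecodedFormParameters();

        event.event(EventType.UPDATE_CREDENTIAL);
        event.detail("credential_type", "password");
        EventBuilder passwordEvent = event.clone().event(EventType.UPDATE_PASSWORD);

        String newPassword = (String) formData.getFirst("password-new");
        String confirmPassword = (String) formData.getFirst("password-confirm");

        EventBuilder credentialErrorEvent = event.clone()
                .event(EventType.UPDATE_CREDENTIAL_ERROR)
                .client(authenticationSession.getClient())
                .user(authenticationSession.getAuthenticatedUser());
        EventBuilder passwordErrorEvent = credentialErrorEvent.clone().event(EventType.UPDATE_PASSWORD_ERROR);

        if (Validation.isBlank(newPassword)) {
            requiredActionContext.challenge(requiredActionContext.form()
                    .setAttribute("username", authenticationSession.getAuthenticatedUser().getUsername())
                    .addError(new FormMessage("password", Messages.MISSING_PASSWORD))
                    .createResponse(UserModel.RequiredAction.UPDATE_PASSWORD));
            credentialErrorEvent.error("password_missing");
            passwordErrorEvent.error("password_missing");
            return;
        }
        if (!newPassword.equals(confirmPassword)) {
            requiredActionContext.challenge(requiredActionContext.form()
                    .setAttribute("username", authenticationSession.getAuthenticatedUser().getUsername())
                    .addError(new FormMessage("password-confirm", Messages.NOTMATCH_PASSWORD))
                    .createResponse(UserModel.RequiredAction.UPDATE_PASSWORD));
            credentialErrorEvent.error("password_confirm_error");
            passwordErrorEvent.error("password_confirm_error");
            return;
        }

        // NOTE(review): other sessions are logged out before the credential update is attempted,
        // so they are terminated even when the new password is rejected below. That fails safe,
        // but confirm it is the intended order.
        if ("on".equals(formData.getFirst("logout-sessions"))) {
            AuthenticatorUtil.logoutOtherSessions(requiredActionContext);
        }

        try {
            user.credentialManager().updateCredential(UserCredentialModel.password(newPassword, false));
            requiredActionContext.success();
            passwordEvent.success();
        } catch (ModelException e) {
            credentialErrorEvent.detail("reason", e.getMessage()).error("password_rejected");
            passwordErrorEvent.detail("reason", e.getMessage()).error("password_rejected");
            requiredActionContext.challenge(requiredActionContext.form()
                    .setAttribute("username", authenticationSession.getAuthenticatedUser().getUsername())
                    .setError(e.getMessage(), e.getParameters())
                    .createResponse(UserModel.RequiredAction.UPDATE_PASSWORD));
        } catch (Exception e2) {
            // NOTE(review): the raw message of an arbitrary exception is stored in the event
            // detail and shown on the form. Unlike the ModelException branch this text is not
            // necessarily a message key, so it may expose internal details to the end user;
            // consider a fixed message key here and keeping the detail in the server log only.
            credentialErrorEvent.detail("reason", e2.getMessage()).error("password_rejected");
            passwordErrorEvent.detail("reason", e2.getMessage()).error("password_rejected");
            requiredActionContext.challenge(requiredActionContext.form()
                    .setAttribute("username", authenticationSession.getAuthenticatedUser().getUsername())
                    .setError(e2.getMessage(), new Object[0])
                    .createResponse(UserModel.RequiredAction.UPDATE_PASSWORD));
        }
    }

    /** No resources to release. */
    public void close() {
    }

    /* renamed from: create, reason: merged with bridge method [inline-methods] */
    /**
     * Factory method: returns a new provider bound to the given session.
     *
     * @param keycloakSession session handed to the new instance
     * @return a new {@code UpdatePassword}
     */
    public RequiredActionProvider m134create(KeycloakSession keycloakSession) {
        return new UpdatePassword(keycloakSession);
    }

    /** No factory initialisation is needed. */
    public void init(Config.Scope scope) {
    }

    /** No post-initialisation is needed. */
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    /** Returns the human-readable name of this action. */
    public String getDisplayText() {
        return "Update Password";
    }

    /** Returns the provider id, which is the name of the UPDATE_PASSWORD required action. */
    public String getId() {
        return UserModel.RequiredAction.UPDATE_PASSWORD.name();
    }

    /** Reports this action as a one-time action. */
    public boolean isOneTimeAction() {
        return true;
    }

    /**
     * Resolves the maximum authentication age, in seconds, that applies to this action.
     *
     * <p>Precedence: the realm password policy value when it is non-negative; otherwise the
     * "max_auth_age" config of the required action named by the "kc_action" client note when
     * it parses to a non-negative number; otherwise the default of 300.
     *
     * @return the effective maximum authentication age
     * @throws NumberFormatException if the stored config value is present but not an integer;
     *     {@link #validateConfig} is what keeps such values out of the configuration
     */
    public int getMaxAuthAge() {
        if (this.session == null) {
            // Instance created through the deprecated no-arg constructor: nothing to look up.
            return DEFAULT_MAX_AUTH_AGE_SECONDS;
        }
        KeycloakContext context = this.session.getContext();
        RealmModel realm = context.getRealm();

        int policyMaxAuthAge = realm.getPasswordPolicy().getMaxAuthAge();
        if (policyMaxAuthAge >= 0) {
            return policyMaxAuthAge;
        }

        AuthenticationSessionModel authenticationSession = context.getAuthenticationSession();
        if (authenticationSession == null) {
            return DEFAULT_MAX_AUTH_AGE_SECONDS;
        }
        RequiredActionProviderModel actionModel =
                RequiredActionHelper.getRequiredActionByProviderId(realm, authenticationSession.getClientNote("kc_action"));
        if (actionModel == null) {
            return DEFAULT_MAX_AUTH_AGE_SECONDS;
        }
        RequiredActionConfigModel configModel = realm.getRequiredActionConfigByAlias(actionModel.getAlias());
        if (configModel == null || !configModel.containsConfigKey(MAX_AUTH_AGE_KEY)) {
            return DEFAULT_MAX_AUTH_AGE_SECONDS;
        }
        int configuredMaxAuthAge = parseMaxAuthAge(configModel);
        return configuredMaxAuthAge < 0 ? DEFAULT_MAX_AUTH_AGE_SECONDS : configuredMaxAuthAge;
    }

    /** Returns an unmodifiable copy of the configuration properties of this action. */
    public List<ProviderConfigProperty> getConfigMetadata() {
        return List.copyOf(CONFIG_PROPERTIES);
    }

    /**
     * Validates the "max_auth_age" setting of a required-action configuration.
     *
     * @param keycloakSession current session (unused)
     * @param realmModel realm the configuration belongs to (unused)
     * @param requiredActionConfigModel configuration to validate
     * @throws ValidationException with "error-invalid-value" when the value cannot be parsed
     *     as an integer, or with "error-number-out-of-range-too-small" when it is negative
     */
    public void validateConfig(KeycloakSession keycloakSession, RealmModel realmModel, RequiredActionConfigModel requiredActionConfigModel) {
        int parsedMaxAuthAge;
        try {
            parsedMaxAuthAge = parseMaxAuthAge(requiredActionConfigModel);
        } catch (Exception e) {
            throw new ValidationException(new ValidationError(getId(), MAX_AUTH_AGE_KEY, "error-invalid-value"));
        }
        // The range check stays outside the try block: thrown inside it, the range error would
        // be caught by the handler above and replaced with the generic invalid-value error.
        if (parsedMaxAuthAge < 0) {
            throw new ValidationException(new ValidationError(getId(), MAX_AUTH_AGE_KEY, "error-number-out-of-range-too-small", new Object[]{0}));
        }
    }

    /**
     * Parses the "max_auth_age" config value as an integer.
     *
     * @param requiredActionConfigModel configuration holding the value
     * @return the parsed value, which may be negative
     * @throws NumberFormatException if the value is missing or not an integer
     */
    private int parseMaxAuthAge(RequiredActionConfigModel requiredActionConfigModel) throws NumberFormatException {
        return Integer.parseInt(requiredActionConfigModel.getConfigValue(MAX_AUTH_AGE_KEY));
    }
}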
